US10148664B2ActiveUtilityA1

Utilizing transport layer security (TLS) fingerprints to determine agents and operating systems

Assignee: PAYPAL INCPriority: Aug 16, 2016Filed: Sep 8, 2016Granted: Dec 4, 2018
Est. expiryAug 16, 2036(~10.1 yrs left)· nominal 20-yr term from priority
G06N 7/01H04L 63/1441H04L 63/166G06F 21/44H04L 63/101H04L 63/1425G06F 16/22G06F 21/316G06F 21/00H04W 12/06G06F 16/9535H04L 63/10G06F 17/30867G06F 17/30312G06N 7/005
79
PatentIndex Score
4
Cited by
27
References
13
Claims

Abstract

A computer system receives, from a first set of computing devices, a first information. The computer system creates a model based on the first information, wherein the model correlates one or more TLS fingerprints to one or more agents. The computer system receives a second information, wherein the second information includes a TLS fingerprint. The computer system determines a predicted operating system based on comparing the TLS fingerprint to the model.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A system, comprising:
 a first computing device configured to perform first operations comprising:
 extracting a first transport layer security (TLS) fingerprint from an initial communication of a TLS handshake, wherein the initial communication is included in a received first information; and 
 in response to a detecting a mobile application related request, transmitting a second information detailing the first TLS fingerprint to a second computing device; and 
 
 the second computing device configured to perform, responsive to receiving the second information detailing the first TLS fingerprint, second operations comprising:
 determining a predicted operating system based on comparing the first TLS fingerprint to a model including historical information correlating one or more received TLS fingerprints to one or more operating systems; and 
 determining whether the predicted operating system corresponds to a mobile device, wherein the historical information further correlates the one or more fingerprints to one or more agents, and wherein the second operations further comprise:
 determining a predicted agent comprising a type of web browser based on comparing the first TLS fingerprint to the model; 
 determining whether the predicted agent and the predicted operating system correspond to a mobile device; and 
 based on determining that the predicted agent and the predicted operating system do not correspond to a mobile device, adding the first TLS fingerprint to a black list. 
 
 
 
     
     
       2. The system of  claim 1 , wherein the determining a predicted operating system based on comparing the first TLS fingerprint to the model comprises:
 determining a probability for each of a set of operating systems of the one or more operating systems, wherein the probability represents a likelihood that an operating system is correlated with the first TLS fingerprint; and 
 determining an operating system from the set of operating systems that has a highest probability. 
 
     
     
       3. The system of  claim 1 , the second operations further comprising:
 receiving a third information detailing a second TLS fingerprint; and 
 based on determining that the second TLS fingerprint contained in the third information matches a TLS fingerprint on the black list, blocking communication with a computing device associated with the second TLS fingerprint contained in the third information. 
 
     
     
       4. The system of  claim 1 , the second operations further comprising:
 based on determining that the predicted agent and the predicted operating system do correspond to a mobile device, adding the first TLS fingerprint to a white list. 
 
     
     
       5. The system of  claim 4 , the second operations further comprising:
 receiving a third information detailing a second TLS fingerprint; and 
 based on determining that the second TLS fingerprint contained in the third information matches a TLS fingerprint contained on the white list, allowing communication with a computing device associated with the second TLS fingerprint contained in the third information. 
 
     
     
       6. A method comprising:
 receiving, from a first set of computing devices, a first information, wherein the received first information includes one or more initial communications corresponding to one or more transport layer security (TLS) handshakes; 
 creating a model based on the first information, wherein the model correlates one or more TLS fingerprints to one or more operating systems, wherein the one or more TLS fingerprints are retrieved from the one or more initial communications; 
 receiving a second information, wherein the second information includes a first TLS fingerprint; and 
 determining a predicted operating system based on comparing the first TLS fingerprint to the model, wherein the model further correlates the one or more fingerprints to one or more agents, and wherein the method further comprises:
 determining a predicted agent comprising a type of web browser based on comparing the first TLS fingerprint to the model; 
 determining whether the predicted agent and the predicted operating system correspond to a mobile device; and 
 based on determining that the predicted agent and the predicted operating system do not correspond to a mobile device, adding the first TLS fingerprint to a black list. 
 
 
     
     
       7. The method of  claim 6 , wherein determining a predicted operating system based on corn paring the first TLS fingerprint to the model comprises:
 determining a probability for each of a set of operating systems of the one or more operating systems, wherein the probability represents a likelihood that an operating system is correlated with the first TLS fingerprint; and 
 determining an operating system from the set of operating systems that has the highest probability. 
 
     
     
       8. The method of  claim 6 , further comprising:
 receiving a third information detailing a second TLS fingerprint; and 
 based on determining that the second TLS fingerprint contained in the third information matches a TLS fingerprint on the black list, blocking communication with a computing device associated with the second TLS fingerprint contained in the third information. 
 
     
     
       9. The method of  claim 6 , further comprising:
 based on determining that the predicted agent and the predicted operating system do correspond to a mobile device, adding the first TLS fingerprint to a white list; 
 receiving a third information detailing a second TLS fingerprint; and 
 based on determining that the second TLS fingerprint contained in the third information matches a TLS fingerprint contained on the white list, allowing communication with a computing device associated with the second TLS fingerprint contained in the third information. 
 
     
     
       10. A computer program product, comprising:
 one or more computer-readable tangible storage devices, and program instructions stored on at least one of the one or more storage devices, the program instructions when executed cause a machine to perform operations comprising:
 receiving, from a first set of computing devices, a first information, wherein the received first information includes one or more initial communications of one or more transport layer security (TLS) handshakes; 
 creating a model based on the first information, wherein the model correlates one or more TLS fingerprints to one or more operating systems, wherein the one or more TLS fingerprints are retrieved from the one or more initial communications; 
 receiving a second information, wherein the second information includes a first TLS fingerprint; 
 determining a predicted operating system based on comparing the first TLS fingerprint to the model; and 
 determining whether the predicted operating system corresponds to a mobile device, wherein the model further correlates the one or more fingerprints to one or more agents, and wherein the operations further comprise:
 determining a predicted agent comprising a type of web browser based on comparing the first TLS fingerprint to the model; 
 determining whether the predicted agent and the predicted operating system correspond to a mobile device; and 
 based on determining that the predicted agent and the predicted operating system do not correspond to a mobile device, adding the first TLS fingerprint to a black list. 
 
 
 
     
     
       11. The computer program product of  claim 10 , wherein determining a predicted operating system based on comparing the first TLS fingerprint to the model comprises:
 determining a probability for each of a set of operating systems of the one or more operating systems, wherein the probability represents a likelihood that an operating system is correlated with the first TLS fingerprint; and 
 determining an operating system from the set of operating systems that has the highest probability. 
 
     
     
       12. The computer program product of  claim 10 , the operations further comprising:
 receiving a third information detailing a second TLS fingerprint; and 
 based on determining that the second TLS fingerprint contained in the third information matches a TLS fingerprint on the black list, blocking communication with a computing device associated with the second TLS fingerprint contained in the third information. 
 
     
     
       13. The computer program product of  claim 10 , the operations further comprising:
 based on determining that the predicted agent and the predicted operating system do correspond to a mobile device, adding the first TLS fingerprint to a white list; 
 receiving a third information detailing a second TLS fingerprint; and 
 based on determining that the second TLS fingerprint contained in the third information matches a TLS fingerprint contained on the white list, allowing communication with a computing device associated with the second TLS fingerprint contained in the third information.

Join the waitlist — get patent alerts

Track US10148664B2 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.